NINJIO PCI is targeted at any user within an organization who either has access to credit card data behind the scenes or who handles credit cards as part of their day-to-day responsibilities.
With the number of restaurant and retail employees handling large volumes of credit cards daily, our 4th PCI compliance episode is intended as a "stand-alone" focusing exclusively on "card handling." We did this so that if you only need to train your front-line people on card handling, the 4th episode alone will suffice.
Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.
This requirement applies to employee-owned and company-owned portable computing devices. Systems that cannot be managed by corporate policy introduce weaknesses and provide opportunities that malicious individuals may exploit. Allowing untrusted systems to connect to an organization’s CDE could result in access being granted to attackers and other malicious users.
Never send unprotected PANs by end-user messaging technologies (for example, email, instant messaging, SMS, chat, etc.).
Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers). Note: this applies to any employee-owned devices that are allowed on the network and are not managed under an MDM program.
Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users unless specifically authorized by management on a case-by-case basis for a limited time period.
Limit access to system components and cardholder data to only those individuals whose job requires such access.
Maintain strict control over the storage and accessibility of media.
Destroy media when it is no longer needed for business or legal reasons.
Examine the periodic media destruction policy and verify that it covers all media and defines the destruction requirements.
Hard-copy materials must be crosscut shredded, incinerated, or pulped so that there is reasonable assurance the materials, and the cardholder data on them, cannot be reconstructed.
Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
Regularly test security systems and processes.
Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.